Credential phishing is a specific kind of phishing attack aimed at getting users to share their credentials (typically usernames and passwords) so that the attacker can steal and use them to gain unauthorized access to email accounts, business systems, and other protected resources. This type of credential theft is a subset of phishing in general, which more broadly attempts to steal many kinds of sensitive information, including credit card or bank account details, Social Security numbers, and valuable organizational information such as customer data or intellectual property.
Credential phishing is a growing problem, to state it mildly: one study reported a 703% increase in credential phishing in the second half of 2024, as compared to only a 202% increase in overall email-based phishing threats. (You know there’s a big problem when a 202% increase can be considered relatively low.) The huge increase is attributable to a combination of factors:
- AI-powered phishing attacks make it easier than ever for cybercriminals to generate convincing messages designed to get users to fall for fake credential requests.
- Social engineering, which has long been effective at tricking users into clicking links in phishing messages, is playing an increasing role in credential phishing.
- Multi-channel credential phishing—i.e., the use of not just email, but also SMS, social media, and collaboration platforms—increases attackers’ reach.
All of this is happening against a backdrop in which credential theft has long been, and continues to be, a low-effort, high-reward type of attack.
The good news? While credential phishing attacks are increasing, so too are organizations’ efforts at preventing phishing, ranging from passwordless authentication and multi-factor authentication (MFA) to AI-powered defense tools. Read on to learn more about how credential phishing has evolved over time, the most common tactics used in these attacks, and the tools and strategies available to combat credential phishing.
Mid-1990s: The earliest credential phishing seems to have occurred in the mid-1990s, when fraudsters impersonated AOL employees to trick users into revealing their login credentials. Their purpose appears to have been simply to avoid paying for internet access, but their activities paved the way for more sophisticated, destructive, and costly scams.
Early 2000s: Credential phishing in the early 2000s was still relatively unsophisticated, often relying on simplistic, mass-produced messages to get people to share their login credentials. 2003 marked the beginning of a shift, when attackers began creating near-identical copies of legitimate sites like eBay and PayPal to trick users into entering their credentials.
2010-2020: Spear phishing emerged in the 2010s to transform credential theft, especially at the organizational level. It works by skillfully targeting specific people with well-crafted messages that often purport to be from critical departments like HR, billing, or IT support. Business email compromise (BEC) is a type of social engineering attack that uses phishing in the form of extremely sophisticated email impersonations (such as fake requests from C-level executives) to target recipients, who are fooled into thinking they’re responding to someone in their organization.
2020-present: Credential phishing today is increasingly likely to be AI-driven, enabling attackers to generate phishing emails that are grammatically flawless, perfectly contextual, and more authentic-seeming than ever. Generative AI is also making it incredibly fast and easy to create these new, more compelling messages; according to IBM, scammers using generative AI can develop effective messages in just five minutes (instead of the hours it can take to do it manually).
In credential phishing, the attacker typically impersonates a trusted source (like a user’s employer, bank, or frequently used website) and sends the user an email, text, or other message aimed at getting them to take an action that results in compromising their credentials. Within this general framework, an attacker can use a number of different tactics:
Deceptive emails
Deceptive emails are the typical entry point for many credential phishing attacks. These types of emails are frequently successful as vehicles for credential phishing because they appear to come from sources the recipient trusts and are therefore not likely to raise suspicions. The more genuine an email communication appears, the more successful the sender is likely to be in the attempt to exploit that trust.
The characteristics of a credential phishing attack that uses deceptive communications include:
- Impersonation: The communication seems to be from a legitimate source who is already known to the recipient.
- Persuasion: The subject line and/or first few words are written to compel a reaction such as urgency, fear, or even just curiosity. Cybercriminals thrive on urgency, as it tends to push users to react quickly rather than take the time to consider whether they should act at all.
- Deception: The message emphasizes a non-existent need for extremely urgent action.
- Actionability: Phishing emails tend to include a link or attachment that makes it easy to take the next step.
- More deception: The recipient’s action leads to a fake login page where credentials are captured.
Fake login pages
Fake login pages are one of the most common tools used in credential phishing attacks in organizational settings. They’re extremely effective in organizations that lack phishing-resistant MFA.
Attacks using fake login pages start with the attacker doing reconnaissance to find out what services or platforms an organization commonly uses (Microsoft 365 or Google Workspace, for example) and what the organization’s email formats and branding look like. From there the attacker can craft a credential phishing email that appears to be from an internal department or a known vendor, with a subject line meant to evoke urgency (“Password Expiring—Immediate Action Required” or “Your Invoice Is Ready—View Securely”) and a prominent link to a fake login page.
Once an employee clicks the link and enters their credentials on the purported login page, the credentials get forwarded to the attacker, who can then use them to log into organizational systems and move laterally through the network—exfiltrating data, planting malware, launching further BEC attacks, or phishing from a compromised account.
Multi-channel tactics
Email isn’t the only way to phish for credentials, and as users become more aware of and adept at defending against email-based credential phishing, attackers are branching out to other avenues of attack, including:
- Smishing (SMS phishing) can be used to text fake login alerts, package tracking notices, or two-factor authentication prompts to lure users into clicking a link.
- Vishing (voice phishing) consists of calls pretending to be from the help desk or IT support team that direct users to a phishing website.
- Phishing from collaboration platforms uses messages on Slack, Teams, LinkedIn, or other platforms to get users to click fake links or to download attachments that appear to be work-related content.
- QR code phishing involves sending credential phishing emails that include QR codes linking to credential-harvesting sites. Because the URL is embedded in an image, it slips past link-scanning filters that only inspect text URLs, and the victim usually scans it with a personal phone that sits outside the organization’s web filtering.
Credential stuffing
Credential stuffing, in which cybercriminals take large numbers of stolen username and password pairs and try them as logins across many unrelated sites, works in tandem with credential phishing to maximize the damage. The two are combined in layered attacks: credentials are harvested via phishing, then applied across other targets.
For example, an attacker may phish login credentials for a Microsoft 365 account, and then use credential stuffing to try the Microsoft credentials on a variety of other sites or services—for example, Salesforce, Google (mail, docs, password manager). The attacker is basically gambling that someone is using the same credentials across multiple sites.
Password spraying
Like credential stuffing, password spraying is used in conjunction with credential phishing to maximize the reach and success of the phishing attack—especially in organizational environments. In this type of scheme, the attacker:
- Gathers a list of usernames through credential phishing
- Tries a single easy-to-guess password (like password123 or welcome123) against every username on the list, then moves on to the next password. Because each account sees only one failed attempt per round, the attack stays below the lockout threshold that a brute-force attempt on a single account would trigger
The most obvious reason password spraying works is that it exploits weak password hygiene; if nobody used easy-to-guess passwords, the tactic wouldn’t get far. It is also hard to detect at scale: per-account alerting sees only one or two failures per user, so the real signal is breadth (many accounts, few attempts each, from one source or one proxy pool), which requires monitoring that aggregates across accounts rather than per user.
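As an added example (not RSA’s code), the detection logic below runs over a few constructed authentication log lines and flags both patterns discussed above: a source that fails against many distinct accounts with only one or two attempts each (the breadth signature of spraying, as distinct from a brute-force attack that hammers one account), and the success that follows it from the same source, which is the likely compromised account. The log format, addresses and account names are made up for the example.

```javascript
// Added example, not RSA's code: flagging password spraying, and the one login
// that succeeds during a spray or credential-stuffing run, from auth logs.
// The log lines are constructed for this example; real identity-provider logs
// use other formats but carry the same fields (time, source, user, result).
const SAMPLE_AUTH_LOG = `
2025-03-04T09:00:01Z src=198.51.100.9 user=alice@corp.example result=FAIL
2025-03-04T09:00:03Z src=198.51.100.9 user=bob@corp.example result=FAIL
2025-03-04T09:00:05Z src=198.51.100.9 user=carol@corp.example result=FAIL
2025-03-04T09:00:07Z src=198.51.100.9 user=dave@corp.example result=FAIL
2025-03-04T09:00:09Z src=198.51.100.9 user=erin@corp.example result=FAIL
2025-03-04T09:00:11Z src=198.51.100.9 user=grace@corp.example result=FAIL
2025-03-04T09:00:13Z src=198.51.100.9 user=frank@corp.example result=SUCCESS
2025-03-04T09:01:00Z src=203.0.113.7 user=admin@corp.example result=FAIL
2025-03-04T09:01:02Z src=203.0.113.7 user=admin@corp.example result=FAIL
2025-03-04T09:01:04Z src=203.0.113.7 user=admin@corp.example result=FAIL
2025-03-04T09:01:06Z src=203.0.113.7 user=admin@corp.example result=FAIL
2025-03-04T09:01:08Z src=203.0.113.7 user=admin@corp.example result=FAIL
2025-03-04T09:01:10Z src=203.0.113.7 user=admin@corp.example result=FAIL
2025-03-04T09:02:00Z src=192.0.2.22 user=alice@corp.example result=FAIL
2025-03-04T09:02:10Z src=192.0.2.22 user=alice@corp.example result=SUCCESS
this line is malformed and is skipped by the parser
`.trim().split('\n');

const LINE_RE = /^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$/;

// Parse one event per well-formed line; malformed lines are skipped, not fatal.
function parseAuthLog(lines) {
  const events = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue;
    events.push({ ts: Date.parse(m[1]), src: m[2], user: m[3].toLowerCase(), ok: m[4] === 'SUCCESS' });
  }
  return events;
}

// Spraying is breadth, not depth: one source, many distinct usernames, at most
// one or two failures each inside the window. A brute-force run against a single
// account (many failures, one user) deliberately does NOT match this rule.
function detectSpray(events, { minUsers = 5, maxPerUser = 2, windowMs = 10 * 60 * 1000 } = {}) {
  const failsBySrc = new Map();
  for (const e of events) {
    if (e.ok) continue;
    if (!failsBySrc.has(e.src)) failsBySrc.set(e.src, []);
    failsBySrc.get(e.src).push(e);
  }
  const findings = [];
  for (const [src, fails] of failsBySrc) {
    fails.sort((a, b) => a.ts - b.ts);
    for (let start = 0; start < fails.length; start++) {
      // count failures per user within windowMs of this starting failure
      const perUser = new Map();
      for (let i = start; i < fails.length && fails[i].ts - fails[start].ts <= windowMs; i++) {
        perUser.set(fails[i].user, (perUser.get(fails[i].user) || 0) + 1);
      }
      const deepest = Math.max(...perUser.values());
      if (perUser.size >= minUsers && deepest <= maxPerUser) {
        findings.push({ src, users: [...perUser.keys()].sort(), firstSeen: new Date(fails[start].ts).toISOString() });
        break; // one finding per source is enough
      }
    }
  }
  return findings;
}

// The alert that matters after a spray or stuffing run is the success: a login
// from a source that was just failing against other accounts.
function suspiciousSuccesses(events, sprayFindings) {
  const flagged = new Set(sprayFindings.map((f) => f.src));
  return events.filter((e) => e.ok && flagged.has(e.src)).map((e) => ({ user: e.user, src: e.src }));
}

function analyze(lines = SAMPLE_AUTH_LOG) {
  const events = parseAuthLog(lines);
  const spray = detectSpray(events);
  return { spray, compromised: suspiciousSuccesses(events, spray) };
}

console.log(JSON.stringify(analyze(), null, 2));
```

On the sample log this reports 198.51.100.9 as a spraying source (six accounts, one failure each) and frank@corp.example as the account to reset first, while the six failures against admin from 203.0.113.7 and alice’s ordinary typo-then-success from 192.0.2.22 are left alone. Two caveats for production use: real sprays are spread across proxy pools and paced over hours, so a per-source threshold like this one is evaded unless you also aggregate distinct failing users per hour across all sources (and by ASN or user agent); and credential stuffing from a botnet looks like many sources each touching one user, so the global count of single-failure users is the better signal there.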
Precision-validating phishing
Precision-validating phishing emerged in 2025 as a way for attackers to be sure that the credentials they steal via phishing are associated with valid, active accounts. The phishing page uses an integrated API call or JavaScript to check the email address in real time, before the victim is shown a password prompt; addresses that don’t validate never reach the credential-capture step. Precision-validated phishing makes credential phishing far more efficient and accurate, with little effort wasted on credentials that would never work, and it also makes the kit harder for analysts and sandboxes to inspect, since a test address that isn’t on the target list gets nothing.
Credential phishing can inflict a lot of damage on an organization. The IBM Cost of a Data Breach Report found that phishing was one of the most frequent and most expensive causes of data breaches, costing an average of $4.88 million and taking an average of 261 days to contain.
But credential phishing prevention can help ensure that credential phishing attempts never get far. RSA offers a wide range of products and services in key areas related to credential phishing prevention.
Passwordless authentication
It may sound obvious, but it bears making the point: cybercrime that relies on stolen credentials won’t work if there aren’t any credentials to steal. That’s what makes passwordless authentication so valuable in stopping credential phishing.
As a member of the FIDO Alliance, RSA is dedicated to helping build a world with fewer passwords and fewer password-related security problems. RSA passwordless authentication protects access where it matters most: at the points in the identity lifecycle that are especially vulnerable to credential-based attacks. RSA delivers passwordless with 99.99% availability, including a hybrid failover capability that enables authentication even without a network connection, and provides a wide range of passwordless options:
- one-time passwords (OTPs), which remove the password but are not phishing-resistant on their own: a code typed into a look-alike page can be relayed to the real site within its validity window
- passkeys, including mobile passkeys
- app-based options, like push to approve (push prompts should be paired with a control against prompt-bombing, since an attacker who already holds the password can trigger them)
- biometrics
Phishing-resistant MFA
Just as passwordless authentication removes the credentials that credential phishing is trying to steal, phishing-resistant MFA removes the mechanism by which they’re stolen: phishing. Phishing-resistant MFA (FIDO2/WebAuthn authenticators, for example) binds each login to the real site’s domain, so neither a look-alike page nor a relay proxy can reuse what the user provides, unlike OTP codes or push approvals, which can be relayed.
The RSA iShield Key 2 Series of authenticators is specifically designed to protect against credential-based attacks, delivering phishing-resistant, hardware-based MFA and incorporating a FIPS 140-3 level 3 certified cryptographic module and AAL3 hardware authentication. Benefits of the RSA iShield series include:
- Compliance with the latest federal standards for cryptographic security
- Identity security capabilities that advance Zero Trust Architecture
- FIDO2 certification for a secure and frictionless passwordless journey
- Flexible deployment and management of passkeys
Single sign-on with identity providers
Using an identity provider’s centralized authentication service for logging into multiple sites and services means attackers’ potential entry points are reduced from hundreds to just one, and one entry point is far easier to secure and monitor than dozens of different logins. The flip side is that the IdP login becomes the single most valuable target, so it is the place where phishing-resistant MFA matters most.
RSA My Page is the cloud-hosted SSO solution that lets users quickly and securely manage access to critical applications and other resources through a single convenient portal, providing:
- Quick user access to multiple applications with one set of credentials
- Convenient authenticator self-registration and credential self-management
- Reduced burden and minimized costs on help desk staff and IT administrators
- Shorter wait times when there’s a legitimate need for help desk assistance
Passkeys
Passkeys give users a way to log into websites and applications without ever entering a password, making the login process both more secure (no passwords to steal) and more convenient (no passwords to remember). Passkeys are far safer than passwords because each one is unique to the site it was created for, so it is never reused across sites, and because they are phishing-resistant: the browser and authenticator only release a passkey to the domain it was registered for, so a user cannot be tricked into signing in on a fake website.
Passkeys in the RSA Authenticator App provide passwordless, phishing-resistant authentication, delivered directly to users’ mobile devices. This passkey capability:
- Supports Zero Trust by addressing social engineering and credential phishing
- Helps organizations conform to regulatory requirements for phishing-resistant MFA
- Easily integrates into any existing IT environment
- Is device-bound, so it never leaves the device—ensuring the highest security possible
Zero Trust
Zero Trust fights phishing because it creates an environment in which organizations are always verifying the trustworthiness of those who are trying to access an organization’s resources. Organizations that operate according to the principles of Zero Trust make it much tougher for bad actors who want to phish for credentials to find a way in, or to move laterally beyond those credentials and elevate their privileges.
RSA supports Zero Trust by providing the components of identity and access management (IAM) that are fundamental to working within the NIST Zero Trust framework. These include:
- MFA
- Identity governance and administration (IGA)
- Risk-based analytics
- Role-based access
- Attribute-based access
AI
While AI has been a boon to cybercriminals carrying out credential phishing attacks, it is also extremely valuable to those on the other side who are fighting to stop credential phishing. According to the 2025 RSA ID IQ Report, 78% of organizations surveyed reported having immediate plans to implement automation, machine learning, or some other form of AI in their cybersecurity stack.
RSA has developed AI-driven capabilities in authentication and access management to help organizations detect, respond to, and prevent credential phishing attacks:
- RSA Risk AI employs behavioral analytics and machine learning to detect phishing-based account takeover attempts, so IT teams can address them before they cause any damage.
- RSA Governance & Lifecycle uses AI to detect anomalies in access requests, providing administrators with the information they need to prevent potentially risky access from being granted.
Credential phishing in the future is likely to involve AI, deepfake technology, and advanced social engineering, according to one recent report. That’s not surprising, given the success cybercriminals have enjoyed with these and other emerging technology-driven tactics.
But the good news is they will increasingly find themselves up against organizations that are equally dedicated to applying AI and other technologies in their efforts to repel attacks.
Today’s potential victims of credential phishing are fighting back by adopting phishing-resistant MFA and passwordless solutions, working toward Zero Trust, fighting AI with AI, and taking other measures to defend themselves. The 2025 RSA ID IQ Report found that 80% of respondents believed AI will help organizations with cybersecurity over the next five years, while only a fifth felt that AI would do more to enable threat actors in that time.
As your organization continues to fight credential phishing, look to RSA to help, with capabilities like passwordless authentication (including passkeys) and phishing-resistant MFA aided by AI, all deployed in a security-first user environment that includes SSO, and all integrated into an overall commitment to the Zero Trust principles that are essential to cyberdefense today and will remain critical in the future.